
The method StartProcess() in WindowsApiManager.cs calls set_Arguments() to execute a command. This call might allow an attacker to inject malicious commands.

I am getting the above issue while trying to pass the file name and arguments to the started process.

I have tried regular expressions and path manipulation techniques, but the Fortify issue still appears. If I hard-code the file name and arguments used to start the process, the Fortify issue does not appear.

Please help me to resolve this.

Below is my code:

    using System.Diagnostics;

    // StartProcess() from WindowsApiManager.cs as posted; the method signature is
    // assumed. sr is the file name and arguments the argument string, both supplied
    // by the caller.
    public Process StartProcess(string sr, string arguments)
    {
        var cProcess = new Process
        {
            StartInfo =
            {
                FileName = sr,            // caller-supplied executable path
                Arguments = arguments,    // caller-supplied argument string (the set_Arguments() call Fortify flags)
                WindowStyle = ProcessWindowStyle.Minimized,
                UseShellExecute = false
            }
        };
        cProcess.Start();
        return cProcess;
    }
user1508503
  • Can you show your code. – Flydog57 Nov 17 '21 at 05:46
  • var collabLiveProcess = new Process { StartInfo = { FileName = sr, Arguments = arguments, WindowStyle = ProcessWindowStyle.Minimized, UseShellExecute = false } }; collabLiveProcess.Start(); below is the Fortify issue – user1508503 Nov 17 '21 at 06:31
  • Command Injection (Input Validation and Representation, Semantic) The method StartProcess() in WindowsApiManager.cs calls set_Arguments() to execute a command. This call might allow an attacker to inject malicious commands. – user1508503 Nov 17 '21 at 06:32
  • Edit the question. Paste the code in (with new lines and indents). Then use the `{}` button to format it "as code" – Flydog57 Nov 17 '21 at 07:17
  • My *guess* is that you get this warning because you assign a user-supplied value to Arguments. It probably isn't clever enough to understand that you already prevented injection by filtering out problematic values (as I assume you did with that regex) – Hans Kesting Nov 17 '21 at 09:07
  • Thank you Hans Kesting. Yes, I have added regex validations. Only if I hard-code the values of the file name and arguments does the Fortify issue not appear. But this hard-coding is not a good programming practice. – user1508503 Nov 17 '21 at 09:54
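As an added example (not the asker's code), a version of StartProcess that keeps caller input out of both values Fortify tracks: FileName is resolved from a fixed allowlist rather than taken from the raw string, and each argument is validated individually and passed through ProcessStartInfo.ArgumentList instead of one concatenated Arguments string. It assumes .NET Core 2.1 or later / .NET 5+ (ArgumentList does not exist in .NET Framework), and the tool name and path in the allowlist are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example, not the asker's code. Assumes .NET Core 2.1+ / .NET 5+
// (ProcessStartInfo.ArgumentList); tool names and paths are placeholders.
public static class SafeProcessStarter
{
    // Allowlist: logical tool name -> fixed absolute executable path.
    // The caller may pick a key but never supplies the path itself.
    private static readonly Dictionary<string, string> AllowedExecutables =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["collab"] = @"C:\Program Files\Collab\collab.exe", // placeholder
        };
    // Strict per-argument pattern: letters, digits and a few punctuation
    // characters only; no quotes, spaces, path separators or metacharacters.
    private static readonly Regex SafeArgument =
        new Regex(@"^[A-Za-z0-9_.\-=:]{1,128}$", RegexOptions.Compiled);

    public static Process StartProcess(string toolName, IEnumerable<string> args)
    {
        // 1. Resolve the executable from the allowlist; anything else is rejected,
        //    so FileName is never the raw caller-supplied string.
        if (!AllowedExecutables.TryGetValue(toolName, out var exePath))
            throw new ArgumentException($"Unknown tool '{toolName}'", nameof(toolName));

        var psi = new ProcessStartInfo
        {
            FileName = exePath,
            UseShellExecute = false,   // launch directly, not via a shell
            WindowStyle = ProcessWindowStyle.Minimized,
        };

        // 2. Validate each argument and add it as its own ArgumentList entry; the
        //    runtime quotes each entry, so no command string is concatenated from input.
        foreach (var arg in args)
        {
            if (arg == null || !SafeArgument.IsMatch(arg))
                throw new ArgumentException($"Rejected argument '{arg}'", nameof(args));
            psi.ArgumentList.Add(arg);
        }

        var process = new Process { StartInfo = psi };
        process.Start();
        return process;
    }
}
```

Whether Fortify clears the finding depends on its taint-tracking rules (as Hans Kesting's comment notes, it may not credit a regex filter); what this version removes is the underlying risk, since neither the executable path nor a concatenated argument string is ever built from raw input.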
